How to secure your company's passwords

There's some terrible password advice out there - like use one strong password everywhere. Don't do that. (Picture: Christiaan Colen, Flickr)

While coverage of recent breaches such as LinkedIn and Twitter has focused on the impact on consumers rather than businesses, that doesn’t mean companies, large or small, can’t be targets. The reality: any data is valuable on the black market, and hackers are just itching to get their hands on yours. As a CEO, owner, or IT Manager at a company, you have a lot more at stake than a single consumer does – so are you doing everything you can to protect the company from an attack?

When reviewing your company’s current exposure to hacking, one of the first things to check is your password habits. Reviewing these, and adding a few tools to your security toolbox, will make most hackers’ jobs more difficult – and you may even ward off an attack entirely.

1. Set up password strength requirements

This sounds like a given, but many companies still don’t enforce password strength requirements, which means their employees are using simple, insecure passwords. Or they stop at telling employees what they should do, but have no way to verify that they are actually doing it. As a company, you should require employees to create lengthy passwords including upper and lowercase letters, numbers, and symbols. You can also block people from using their first or last name, the company name, or even ‘password’ anywhere in their passwords. But go beyond that, and give your employees tips such as using passphrases that don’t really make sense but are easy to remember.
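The rules in this section turned into a policy check, as an added example that is not from the article or any vendor's product; the 12-character minimum, the sample names and the sample passwords are assumptions made for illustration:

```python
import re

# Assumed minimum: the article says "lengthy" but gives no number.
MIN_LENGTH = 12


def policy_violations(password, first_name, last_name, company_name):
    """Return a list of human-readable violations for the password policy
    described in section 1; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no symbol")

    # Blocked words are matched case-insensitively as substrings, and a
    # multi-word company name is matched token by token, so 'AcmeCorp#2016'
    # still fails for 'Acme Corp' even though it mixes character classes.
    lowered = password.lower()
    blocked = {
        "first name": first_name,
        "last name": last_name,
        "company name": company_name,
        "the word 'password'": "password",
    }
    for label, words in blocked.items():
        tokens = [t.lower() for t in words.split() if len(t) >= 3]
        if any(t in lowered for t in tokens):
            violations.append(f"contains {label}")
    return violations


if __name__ == "__main__":
    # Constructed sample employee and candidate passwords.
    for candidate in ("Jsmith2016!", "AcmeCorp#2016", "MyPassword",
                      "correct-horse-Battery-staple-7"):
        problems = policy_violations(candidate, "John", "Smith", "Acme Corp")
        print(candidate, "->", problems or "OK")
```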

2. Require password changes

Password reuse is one of the biggest reasons that accounts are getting hacked these days. Require your employees to change critical passwords – computer, email, important data access – every few months, and especially after any suspicious activity or known security issue.

3. Have a password manager (and actually use it!)

With all of these requirements and unique passwords, it’s very hard to practice good password habits without some help. That’s where a password manager comes in. A password manager stores all of your passwords in one secure place. Most importantly, though, you still have to update your passwords so that each one is strong and unique; only then can the manager protect your accounts the way you need it to.

4. Establish levels of access

For those accounts with the company’s most sensitive information, such as server credentials and SSH keys – called privileged accounts – you need to take even more care to protect against threats. The first step is to ensure that not everyone has access to them. Only delegate access to those who truly need it, and regularly re-evaluate if those people still need it.

5. Automatically rotate passwords

Once an employee accesses one of these privileged accounts, it’s possible they’ll know the password. To keep the account truly protected, you’ll want to change the password after each time that it’s accessed. With business-focused password managers, this can be done automatically and without hassle to end users or IT admins.

6. Review activity reports

Monitor activity on all company databases, especially access to privileged accounts, with reports that record which account was accessed, by which user, and when. If there is a problem, you’ll know about it and will be able to identify who was accessing the account at that specific time.

7. Educate employees

Your company is only as strong as your least-informed, most insecure employee. Your IT department could be following all of the practices above, but that means nothing if your employees aren’t following good practices as well. Educate employees on what it means to have secure passwords, and on how to use a password manager to help them put those best practices into action. This means not only creating strong passwords, but also not sharing them with co-workers or others, using a password manager to store passwords, changing passwords often, and using unique passwords for every single account.

While it takes time to implement these changes, the security and productivity benefits you’ll experience across the organisation more than compensate for the initial investment.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.